US11689500B2 - Systems and methods for IP mass host verification - Google Patents
- Publication number: US11689500B2 (application US 17/217,880)
- Authority: US (United States)
- Prior art keywords: domains, address, candidate, identifying, bad
- Prior art date
- Legal status: Active (Google's note: the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L 63/1483: Countermeasures against malicious traffic; service impersonation, e.g. phishing, pharming or web spoofing (H04L 63/00 network security; H04L 63/14 detecting or protecting against malicious traffic; H04L 63/1441 countermeasures)
- H04L 61/5046: Resolving address allocation conflicts; testing of addresses (H04L 61/00 addressing or naming; H04L 61/50 address allocation)
- H04L 43/16: Threshold monitoring (H04L 43/00 monitoring or testing data switching networks)
- H04L 61/25: Mapping addresses of the same type (H04L 61/09 mapping addresses)
- H04L 61/4511: Name-to-address mapping using standardised directories and directory access protocols, using the domain name system [DNS] (H04L 61/45 network directories; H04L 61/4505 standardised directories)
- H04L 61/4552: Lookup mechanisms between a plurality of directories; synchronisation of directories, e.g. metadirectories (H04L 61/45 network directories)
- H04L 61/302: Administrative registration, e.g. for domain names at ICANN (H04L 61/30 managing network names; H04L 61/3015 name registration, generation or assignment)
All entries fall under H04L (transmission of digital information, e.g. telegraphic communication), within H04 (electric communication technique) and section H (electricity).
Description
- This invention relates generally to cybersecurity, and more particularly to systems and methods that are configured to identify IP mass hosts and determine whether mass identified hosts are “good” or “bad”.
- Cyberthreat protection technologies are designed to protect enterprise computing networks from attacks and threats which originate from malicious or otherwise suspicious domains and/or IP addresses. For instance, a URL of a particular domain may be included in an email message in an attempt to phish the recipient, directing the recipient's browser to the malicious URL and potentially damaging the recipient's computing environment. It may therefore be necessary to remove the malicious URL from the email message before allowing the email to be delivered to the recipient's inbox.
- Some cyberthreat systems maintain lists of domains and/or IP addresses that have bad reputations, and may provide these lists to their customers. Based on these reputation lists, the customers may simply block any actions that are associated with domains or IP addresses that have bad reputations. For example, the customers may block emails that are associated with a “bad” domain or IP address.
- When an enterprise chooses to block IP addresses that have bad reputations, an IP mass host presents a problem: if one of the domains hosted at the IP address is a bad domain (one that takes malicious or suspicious actions), the bad reputation of that domain may spill over onto the other domains hosted at the same address. The enterprise may wish to block only the bad domain, but if the domain is identified by its IP address, every other domain hosted at that address will be identified, and blocked, along with it, whether it is bad or not. If most of the domains hosted at the IP address are bad, this may be acceptable. If only a small number of the hosted domains are bad while most are good, blocking all of the good domains because of the few bad ones is undesirable.
- Embodiments of the invention are designed to reduce or eliminate one or more of the problems described above. These embodiments achieve these goals by first identifying whether an IP address is an IP mass host, and if the IP address is an IP mass host, determining whether that IP mass host is good or bad.
- In some embodiments, determining whether an IP address is an IP mass host is performed by identifying an IP address that may potentially be an IP mass host, examining domain name service (DNS) records for the IP address to identify domains which map to the IP address over a defined look back period, using WHOIS records to identify the registrants of the identified domains, and determining whether more than a predetermined number of unique registrants are associated with the domains hosted at the IP address. If there are more than the predetermined number of unique registrants, the IP address is considered an IP mass host; otherwise it is not.
- In other embodiments, determining whether an IP address is an IP mass host is performed in a system with SSL-enabled services that use IP mass hosting style certificates, by using OpenSSL queries to retrieve the certificate and count how many domains it lists for the IP address (assuming that the address is using an IP mass hosting style certificate).
- In some embodiments, the good/bad character of the IP mass host is determined from whether the individual hosted domains are good or bad. Most often, the domains will be a mix of some good and some bad. In some embodiments, the number of bad domains is weighed against the number of good domains: if more than a predetermined percentage (e.g., 10%) of the hosted domains are bad, the IP address itself is considered bad; if the bad domains make up less than this predetermined percentage, the IP address is considered good, even though it hosts one or more bad domains.
- One embodiment comprises a method for identifying whether an IP address is an IP mass host, including selecting a first candidate IP address, identifying a set of domains hosted at the first candidate IP address, and identifying one or more registrants of the set of domains. The number of unique registrants among the identified registrants is counted, and it is determined whether that number exceeds a threshold number (e.g., 1). In response to determining that the number of unique registrants exceeds the threshold number, the candidate IP address is determined to be an IP mass host. Those of the domains that have bad reputations are then identified, and it is determined whether they comprise at least a threshold percentage of the domains. In response to determining that the domains with bad reputations comprise at least the threshold percentage of the domains, an indication that the first candidate IP address is a bad mass host is stored.
- In some embodiments, selecting the first candidate IP address comprises accessing a release candidate list containing a plurality of IP addresses and selecting the first candidate IP address from that list.
- The release candidate list may be compiled from a bad reputation list containing IP addresses that have been identified as having bad reputations.
- Storing the indication that a candidate IP address is a bad mass host may comprise maintaining the candidate IP address on the bad reputation list.
- In response to determining that the domains identified as having bad reputations comprise less than the threshold percentage of the plurality of domains, the candidate IP address may be removed from the bad reputation list.
- The domains hosted at the first candidate IP address may be identified by accessing domain name service (DNS) records and identifying domains that map to the first candidate IP address during a defined look back period (e.g., nine months).
- Alternatively, the domains hosted at the first candidate IP address may be identified by examining an IP mass hosting style certificate corresponding to the first candidate IP address, where the certificate contains information identifying the plurality of domains.
- Identifying the registrants of the domains associated with the candidate IP address comprises performing a WHOIS lookup for each of the identified domains and identifying, from the retrieved WHOIS information, the registrant corresponding to each domain.
- One alternative embodiment comprises a system having a processor coupled to a memory, where the memory stores instructions which are executable by the processor to perform a method as described above.
- Another alternative embodiment is a computer program product comprising a non-transitory computer-readable medium storing instructions executable by one or more processors to perform a method as described above.
- Embodiments disclosed herein may provide a number of advantages over the prior art. For example, if an enterprise blocks bad domains based on the IP address associated with the domain, a single bad domain will cause the enterprise to block any domain that uses the same IP address that is associated with the bad domain. Because the embodiments disclosed herein enable identification of IP mass hosts and determining whether the IP mass hosts are good or bad based on the percentage of the hosted domains that are bad, enterprises can use this information to block only IP mass hosts that have enough bad domains (e.g., a predetermined percentage) to justify blocking the good domains with the bad domains. The present embodiments thereby enable more focused responses to cyberthreats than the all-or-nothing response that results from blocking an IP address (IP mass host) because of only a single bad domain associated with the IP address.
- FIG. 1 is a flow diagram illustrating a method for identifying IP mass hosts in accordance with some embodiments.
- FIG. 2 is a diagram illustrating a threat protection system capable of operating in a network computing environment in accordance with some embodiments.
- FIG. 3 is a flow diagram illustrating a method for identifying IP mass hosts and determining whether the IP mass hosts are good or bad in accordance with some embodiments.
- FIG. 4 illustrates an example of a single domain with a single indicated registrant in accordance with some embodiments.
- FIG. 5 illustrates an example of multiple domains with a single indicated registrant in accordance with some embodiments.
- FIG. 6 illustrates an example of multiple domains with multiple indicated registrants in accordance with some embodiments.
- FIG. 7 is a flow diagram illustrating a method for identifying IP mass hosts and determining whether they are good or bad in accordance with some embodiments.
- FIG. 8 is a block diagram illustrating an example of a computer structure in which some embodiments can be implemented.
- Embodiments of the present invention enable the identification of IP mass hosts and the determination of whether these IP mass hosts are good or bad, depending upon the good or bad character of the domains that are hosted by the IP mass host.
- As used herein, an “IP mass host” is an IP address that hosts multiple hostnames or domains that may be owned by different entities.
- A hostname is a name that maps to an IP address.
- For example, mail.abcdef.com would be a hostname that maps to an IP address. A DNS lookup is needed to determine whether mail.abcdef.com is a hostname (a name with its own address record) or merely a subdomain of the domain abcdef.com, since the two cannot be distinguished by looking at the name alone.
- The top level domain is the rightmost label (in the example of abcdef.com, the top level domain is .com).
- Top level domains are useful in some systems because some top level domains may be considered universally bad, or a top level domain may be geo-oriented, and customers may want to avoid top level domains corresponding to certain geographic regions.
- A single IP mass host may potentially have thousands of associated domains. These domains may be owned by various types of entities, such as hosting providers (e.g., Wordpress), content delivery networks (e.g., Akamai) and DDoS protection services (e.g., Cloudfront), which host multiple services at a single IP address.
- An exemplary cyberthreat intelligence service builds reputation on both IP addresses and domains. “Reputation” refers to the good (benign or non-malicious) or bad (malicious or suspicious) character of an IP address or domain. If an IP address or domain “has reputation,” this commonly implies that the reputation is bad.
- Yet another problem with conventional methods concerning IP mass hosts is that, even when it is known that an IP address is an IP mass host, there is no good way to determine whether it is a good IP mass host or a bad one.
- Current methods either treat the IP mass host as bad because it hosts even a single known bad domain, or treat it as good because it hosts a single safelisted domain. In either case, many other domains associated with the IP mass host wrongly inherit that reputation (good or bad), which causes false positives or false negatives.
- Embodiments of the present invention provide a mechanism that can identify IP mass hosts that are on a reputation list, on an IP address by IP address basis, in an automated fashion as part of every reputation list update that is published.
- This mechanism is capable of distinguishing between IP mass hosts and non-IP mass hosts, and can also distinguish between good and bad IP mass hosts. As a result, bad IP mass hosts that are on a reputation list can be identified and retained on the reputation list, while good IP mass hosts can be released from it.
- Referring to FIG. 1, a flow diagram illustrating a method for identifying IP mass hosts in accordance with some embodiments is shown. This figure illustrates the steps of the method at a high level.
- The method begins with the identification of a candidate IP address which is to be evaluated to determine whether it is an IP mass host (step 102).
- The domains associated with the candidate IP address are then identified, such as by performing a passive DNS lookup of domains mapped to the IP address, or by obtaining the domains from an SSL certificate (step 104).
- The registrant associated with each of the domains is determined by, for example, performing a WHOIS lookup of each domain (step 106).
- It is then determined whether the candidate IP address is an IP mass host based on the number of unique registrants (step 108). If there are more than a predetermined number of unique registrants associated with the domains, the candidate IP address is considered an IP mass host; otherwise it is not. If the candidate IP address is determined to be an IP mass host, it is further determined to be either a good mass host or a bad mass host based on the percentage of domains associated with the mass host that are bad (step 110). If more than a predetermined percentage of the domains are considered bad, the IP mass host is also considered bad. If less than the predetermined percentage of the domains are bad, the IP mass host is deemed good.
- FIG. 2 is a diagram illustrating a threat protection system capable of operating in a network computing environment according to some embodiments.
- The illustrated structure of the threat protection system is intended merely to serve as an example, and alternative embodiments that have different structures may also be suitable to implement the IP mass host verification techniques disclosed herein.
- a customer 202 such as a business enterprise is communicatively connected to one or more domains 208 a - 208 c (collectively referred to herein by reference number 208 ) through a network 204 such as the internet.
- Each of domains 208 is hosted by an IP mass host 206 that has a corresponding IP address. Since each of domains 208 is hosted by IP mass host 206, each of the domains has the same IP address. Consequently, whenever one of domains 208 (a bad actor) takes some malicious action, customer 202 can only identify it as having originated from the IP address of IP mass host 206. The customer cannot distinguish which one of the domains hosted at that IP address (domains 208 a, 208 b or 208 c) is the bad actor.
- Threat protection system 210 provides services to protect the customer against threats posed by domains 208 .
- Threat protection system 210 in this embodiment maintains a reputation list 212 which identifies malicious or suspicious domains, potentially including any one of domains 208 that are hosted at IP address 206 .
- Threat protection system 210 is configured to examine candidates on reputation list 212 to determine whether these candidates can be released from the reputation list so that good domains are not unnecessarily blocked because they are on the reputation list.
- Threat protection system 210 may identify a candidate IP address from the reputation list and examine passive DNS data from DNS server 214 to determine how many domains have been mapped to this IP address over some recent look back period. For each of the domains that is identified during this process, the threat protection system performs a WHOIS lookup of the domain using WHOIS server 216 to identify a corresponding registrant of the domain.
- The registrant is the person or organization that registers the domain. Multiple domains can be registered to the same registrant if they are owned by the same owner (e.g., a person or entity). When multiple domains are registered by the same registrant, they are treated for the purposes of this disclosure as having the same owner.
- The threat protection system determines from the WHOIS lookup information how many unique registrants are associated with the domains hosted by the candidate IP address. If there is only a single registrant, the IP address is not considered an IP mass host, so it is retained on the reputation list. If there is more than a single registrant, the IP address is considered an IP mass host, so the threat protection system determines whether the IP address corresponds to a good IP mass host or a bad IP mass host.
- This is accomplished by determining the number of bad domains that are hosted at the IP address of the IP mass host. If the bad domains comprise at least a predetermined percentage of the hosted domains, then the IP mass host is considered bad, and the IP address is retained on the reputation list. Otherwise, the IP mass host is considered good, and the IP address is removed from the reputation list.
- Referring to FIG. 3, a flow diagram illustrating a method for identifying IP mass hosts and determining whether the IP mass hosts are good or bad in accordance with one embodiment is shown.
- In this embodiment, the method is implemented in connection with a threat protection system that maintains a reputation list, i.e., a list of IP addresses that have bad reputations. This list is used by customers of the threat protection system to determine which IP addresses and domains should be blocked as a result of malicious or suspicious activity by those IP addresses or domains.
- The first step in the method is to access the reputation list (step 302) and to identify a candidate IP address from the reputation list (step 304). This candidate will be examined to determine whether it should be retained on the reputation list or released from it.
- A passive DNS scan is then performed for the candidate IP address to identify domains that map to it. Because the activity associated with an IP address may change over time, older information is less relevant than newer information, so the system considers only the activity that occurred within a predetermined interval, or “look back period”. For example, in one embodiment, the system looks up only the domains that mapped to the IP address within the preceding nine months (the look back period).
- In FIG. 4, an example is shown of a passive DNS lookup for an IP address that returns only a single domain. Since only a single domain is associated with the IP address, the address is not considered to be an IP mass host.
- In FIG. 5, another example of a passive DNS lookup is shown. In this example, the DNS lookup for the IP address returns multiple (eight) domains. Since this IP address has multiple associated domains, it may be an IP mass host, depending upon the number of registrants associated with the identified domains.
- A WHOIS record contains the contact information associated with the person, group, or company that registers a particular domain name.
- Each WHOIS record will contain information such as the name and contact information of the Registrant (who owns the domain), the name and contact information of the Registrar (the organization or commercial entity through which the domain name was registered), the registration dates, the name servers, the most recent update, and the expiration date.
- WHOIS records may also provide the administrative and technical contact information (which is often, but not always, the registrant).
- The WHOIS lookup information for each domain will normally identify the registrant, although it should be noted that the registration information for some domains may be incomplete and may not identify a registrant. Among the domains that do include registrant information, some may share the same registrant rather than having a unique registrant per domain.
- The system then determines whether there are more than a predetermined number, N, of unique registrants (step 310). In one embodiment, the predetermined number is one. If there are not two or more unique registrants for the domains, the candidate IP address is determined not to be an IP mass host (step 322). In this case, the IP address can legitimately be considered a bad IP address, and it is maintained on the reputation list.
- In the example of FIG. 5, the WHOIS lookup indicates that the same registrant is associated with each of the eight domains. Since there is only one unique registrant associated with the IP address, it is determined that the IP address is not an IP mass host.
- In FIG. 6, another example of an IP address and its associated domain and registrant information is shown.
- Here, the passive DNS lookup resulted in the identification of 51 domains that map to the candidate IP address.
- When the WHOIS lookup is performed for the identified domains, three unique registrant organizations are identified. Since, in this embodiment, an IP address is considered an IP mass host if it is associated with two or more unique registrants, this IP address is deemed an IP mass host.
- the step of determining whether there are more than a predetermined number of unique registrants is intended to prevent an IP address from being treated as an IP mass host if all of the hosted domains appear to be controlled by a single entity (a single registrant). If the domains have multiple, different registrants, it is more likely the case that the IP address may legitimately host good domains as well as bad domains, and should be considered to determine whether the IP mass host might actually be a good IP mass host. If, on the other hand all of the domains hosted at the IP address of the IP mass host have the same registrant, it is likely that the different domains are under common control, so if one of the domains is bad it is less likely that the others are legitimately good domains.
- If there are more than the predetermined number of unique registrants, the candidate IP address is considered to be an IP mass host (step 312). In this case, it is desirable to determine whether the candidate IP address is a good IP mass host or a bad IP mass host. To achieve this, the system identifies which of the domains hosted at the candidate IP address are bad domains (step 314). The number of bad domains is compared to the total number of domains hosted at the candidate IP address, and it is determined whether the bad domains comprise more than a predetermined percentage of the total (step 316).
- If they do, the IP address is a bad IP mass host (step 318) and is retained on the reputation list (step 320). Customers using the reputation list to block bad domains can therefore continue to block domains associated with this IP address with increased confidence that the blocked domains are likely to be bad, and with less likelihood that good domains will be blocked.
- Otherwise, the candidate IP address is deemed to be a good IP mass host (step 324), and the candidate IP address is released from the reputation list (step 326).
- the process avoids situations in which a large number of good domains may be blocked as the result of a single bad domain (or very few bad domains) hosted at the IP address.
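The procedure of FIG. 1 and FIG. 3 above, carried through on constructed data, as an added worked example (this is illustrative code written for this page, not code from the patent or from any threat protection product). It assumes a nine-month look back of 270 days, N = 1 for the registrant threshold and 10% for the bad-domain threshold, and uses “at least” for the percentage comparison where the text alternates between “at least” and “more than”. The passive DNS records, WHOIS registrants, bad-domain list and candidate IP addresses are all constructed. Domains whose WHOIS record has no registrant are counted as hosted domains but ignored when counting unique registrants; that is one reading of the incomplete-record caveat above and is an assumption.

```python
"""Added worked example of the FIG. 1 / FIG. 3 release-candidate check.
Illustrative code written for this page, not code from the patent or from
any threat protection product. Every record below is constructed."""
from datetime import date, timedelta

LOOK_BACK = timedelta(days=270)   # "nine months" look back period (assumed 270 days)
REGISTRANT_THRESHOLD_N = 1        # more than N unique registrants => IP mass host
BAD_PERCENT_THRESHOLD = 10.0      # >= 10% bad hosted domains => bad IP mass host
TODAY = date(2021, 3, 31)         # evaluation date for the constructed data

# Constructed passive-DNS observations: (domain, ip, date last seen resolving to ip).
PASSIVE_DNS = [
    *[(d, "198.51.100.7", date(2021, 2, 10)) for d in (
        "shop-a.example", "blog-b.example", "news-c.example", "cdn-d.example",
        "mail-e.example", "store-f.example", "wiki-g.example", "docs-h.example",
        "app-i.example", "api-j.example", "phish-k.example", "forum-l.example")],
    ("old-m.example", "198.51.100.7", date(2020, 1, 15)),   # outside the look back
    ("one-a.example", "203.0.113.9", date(2021, 3, 2)),
    ("one-b.example", "203.0.113.9", date(2021, 3, 2)),
    ("one-c.example", "203.0.113.9", date(2021, 1, 20)),
    *[(d, "192.0.2.44", date(2021, 3, 15)) for d in (
        "v1.example", "v2.example", "v3.example", "v4.example", "v5.example")],
    ("stale-z.example", "192.0.2.200", date(2020, 1, 15)),  # outside the look back
]

# Constructed WHOIS results (registrant organisation). None = incomplete record
# with no registrant, e.g. a redacted WHOIS entry.
WHOIS_REGISTRANT = {
    "shop-a.example": "Alpha LLC", "blog-b.example": "Beta GmbH",
    "news-c.example": "Gamma Inc", "cdn-d.example": "Alpha LLC",
    "mail-e.example": None, "store-f.example": "Beta GmbH",
    "wiki-g.example": "Gamma Inc", "docs-h.example": "Alpha LLC",
    "app-i.example": "Beta GmbH", "api-j.example": "Gamma Inc",
    "phish-k.example": "Gamma Inc", "forum-l.example": "Alpha LLC",
    "old-m.example": "Omega SA", "stale-z.example": "Omega SA",
    "one-a.example": "Solo Ltd", "one-b.example": "Solo Ltd", "one-c.example": "Solo Ltd",
    "v1.example": "Delta", "v2.example": "Epsilon", "v3.example": "Delta",
    "v4.example": "Zeta", "v5.example": None,
}

# Constructed domain reputation data: domains already known to be bad.
BAD_DOMAINS = {"phish-k.example", "one-a.example", "v2.example", "v4.example"}

# Constructed IP reputation list (the release candidates, steps 302/304).
REPUTATION_LIST = ["198.51.100.7", "203.0.113.9", "192.0.2.44", "192.0.2.200"]


def hosted_domains(ip, records, today=TODAY, look_back=LOOK_BACK):
    """Step 306: domains that mapped to ip within the look back period."""
    cutoff = today - look_back
    return sorted({d for d, addr, seen in records if addr == ip and seen >= cutoff})


def unique_registrants(domains, whois):
    """Step 308: distinct registrants; domains with no registrant info are skipped
    (assumption about how incomplete WHOIS records are handled)."""
    return {whois.get(d) for d in domains} - {None}


def classify(ip, records=PASSIVE_DNS, whois=WHOIS_REGISTRANT,
             bad_domains=BAD_DOMAINS, today=TODAY):
    """Steps 310 to 326. Returns (verdict, bad_percent); verdict is one of
    'not_mass_host', 'bad_mass_host' or 'good_mass_host'."""
    domains = hosted_domains(ip, records, today)
    if len(unique_registrants(domains, whois)) <= REGISTRANT_THRESHOLD_N:
        return "not_mass_host", None                    # step 322: stays on the list
    bad = [d for d in domains if d in bad_domains]      # step 314
    pct = 100.0 * len(bad) / len(domains)               # step 316
    # The description says both "more than" and "at least"; the claim language
    # is "at least", so >= is used here.
    if pct >= BAD_PERCENT_THRESHOLD:
        return "bad_mass_host", pct                     # steps 318/320
    return "good_mass_host", pct                        # steps 324/326


def update_reputation_list(candidates=REPUTATION_LIST, **kw):
    """Runs the check over every candidate; returns (retained, released)."""
    retained, released = [], []
    for ip in candidates:
        verdict, _ = classify(ip, **kw)
        (released if verdict == "good_mass_host" else retained).append(ip)
    return retained, released


if __name__ == "__main__":
    for ip in REPUTATION_LIST:
        print(ip, classify(ip))
    retained, released = update_reputation_list()
    print("retained:", retained)
    print("released:", released)
```

Running the block classifies the four constructed candidates: 198.51.100.7 hosts twelve domains with three registrants and one bad domain (about 8.3%), so it is released; 203.0.113.9 has a single registrant and stays on the list; 192.0.2.44 has three registrants and two of five domains bad (40%), so it is retained as a bad mass host; 192.0.2.200 has no domains inside the look back period and so is never treated as a mass host. One practical caveat: a domain whose WHOIS registrant is redacted looks like the None entries here, so an address whose hosted domains are all redacted can never clear the registrant threshold and will never be released by this check.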
- In some embodiments, the method may be implemented in a system that has Secure Sockets Layer (SSL) enabled services.
- Such a system uses IP mass hosting style certificates which identify the associated domains.
- SSL certificates are data files that digitally bind a cryptographic key to an organization's details to enable secure connections from a web server to a browser.
- IP mass hosting style certificates contain information including the domain names that are hosted by the IP address.
- The system uses OpenSSL queries to retrieve the certificate and determine how many domains are associated with the IP address.
- OpenSSL is a commercial-grade toolkit for the SSL and Transport Layer Security (TLS) protocols, and also provides a general-purpose cryptography library.
- Referring to FIG. 7, a flow diagram illustrating a method for identifying IP mass hosts and determining whether they are good or bad in accordance with an alternative embodiment in an SSL enabled environment is shown.
- This method is similar to the method of FIG. 3, but uses the SSL certificates that are available in this environment to determine the domains associated with the IP address.
- The method begins by accessing a reputation list to identify a candidate IP address from the list (step 702).
- An openssl query is then performed to retrieve the SSL certificate associated with the candidate IP address.
- The query may, for example, have the following form:
- The SSL certificate retrieved using the example query includes domain information as shown below.
- After identifying the domains corresponding to the candidate IP address, the system performs a WHOIS lookup for each of the identified domains to identify the registrant for each of them (step 708). The system then determines whether there are more than a predetermined number of unique registrants (step 710) for the identified domains. If the threshold number of unique registrants (e.g., two or more) is not met, the IP address is not considered an IP mass host, and it is maintained on the reputation list (step 722).
- If the threshold is met, the candidate IP address is determined to be an IP mass host (step 712), and it is determined whether the candidate IP address is a good IP mass host or a bad IP mass host.
- This is done by identifying which of the domains hosted at the candidate IP address are bad domains (step 714).
- The number of bad domains is compared to the total number of domains hosted at the candidate IP address, and it is determined whether the bad domains are more than a predetermined percentage of the total (step 716). If so, the IP address is a bad IP mass host (step 718), and the IP address is retained on the reputation list (step 720). If the bad domains comprise less than the predetermined percentage of the total, the candidate IP address is deemed to be a good IP mass host (step 724), and the candidate IP address is released from the reputation list (step 726).
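For the FIG. 7 variant, an added example (illustrative code for this page, not the patent's own query, which is not reproduced above) of fetching the certificate served at a candidate address with OpenSSL and pulling the hosted domain names out of its Subject Alternative Name extension. The openssl pipeline is assembled but not executed offline; it assumes OpenSSL 1.1.1 or later for the x509 -ext option. The parser is exercised on a constructed SAN dump in the format that openssl x509 -noout -ext subjectAltName prints; the IP address and names in it are constructed.

```python
"""Added example: obtain hosted domain names from the certificate served at an
IP address. Illustrative code for this page, not the patent's own query. The
address, names and SAN text below are constructed."""
import re
import subprocess

SAN_ENTRY = re.compile(r"DNS:([A-Za-z0-9*._-]+)")


def openssl_san_commands(ip, port=443):
    """argv for a two-stage pipeline: s_client fetches the served certificate,
    x509 prints only its subjectAltName extension (needs OpenSSL >= 1.1.1).
    Nothing is executed here; the caller decides whether to run it."""
    fetch = ["openssl", "s_client", "-connect", f"{ip}:{port}", "-showcerts"]
    show = ["openssl", "x509", "-noout", "-ext", "subjectAltName"]
    return fetch, show


def fetch_san_text(ip, port=443, timeout=15):
    """Runs the pipeline for real. Needs network access and the openssl binary,
    so it is not exercised offline. No -servername is sent on purpose: the
    method is about what the IP itself presents, not a name-selected cert.
    x509 reads the first PEM block on its stdin, which is the leaf certificate."""
    fetch, show = openssl_san_commands(ip, port)
    leaf = subprocess.run(fetch, input=b"", capture_output=True, timeout=timeout)
    san = subprocess.run(show, input=leaf.stdout, capture_output=True, timeout=timeout)
    return san.stdout.decode(errors="replace")


def san_domains(san_text):
    """Parse 'DNS:' entries from x509 -ext subjectAltName output into a sorted,
    de-duplicated list of lower-case names. Wildcards (*.example) collapse to
    their parent, which is the name a WHOIS lookup can be made against.
    IP Address:, email: and URI: entries are ignored."""
    names = set()
    for name in SAN_ENTRY.findall(san_text):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            name = name[2:]
        if name:
            names.add(name)
    return sorted(names)


# Constructed sample in the shape printed by: openssl x509 -noout -ext subjectAltName
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name: 
    DNS:shop-a.example, DNS:*.blog-b.example, DNS:news-c.example, DNS:Shop-A.example, IP Address:198.51.100.7
"""

if __name__ == "__main__":
    fetch, show = openssl_san_commands("198.51.100.7")
    print("would run:", " ".join(fetch), "|", " ".join(show))
    print("hosted names in sample:", san_domains(SAMPLE_SAN_TEXT))
```

Caveat for anyone running this against real hosts: connecting by bare IP sends no SNI, so a server that selects a per-domain certificate by SNI returns only its default certificate, which may list none of the other hosted names. The method only works where the host really does present a mass-hosting style certificate that enumerates its domains, as the text assumes; an empty or short result is not evidence that the address hosts few domains.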
- Embodiments discussed herein can be implemented in a computer communicatively coupled to a network (for example, the Internet), another computer, or in a standalone computer.
- A suitable computer can include a central processing unit (“CPU”) 802, a computer memory 804 such as a read-only memory (“ROM”), random access memory (“RAM”), or hard drive (“HD”), and one or more input/output (“I/O”) device(s) 806.
- The I/O devices, which can be coupled to a display 808 and a data storage device 810, can include a keyboard, monitor, printer, electronic pointing device (for example, mouse, trackball, stylus, touch pad, etc.), or the like.
- The computer has a network interface 812 and a wireless component 814 for communicating with other computing devices over various types of networks.
- ROM, RAM, and HD are computer memories for storing computer-executable instructions executable by the CPU or capable of being compiled or interpreted to be executable by the CPU. Suitable computer-executable instructions may reside on a computer readable medium (e.g., ROM, RAM, and/or HD), hardware circuitry or the like, or any combination thereof.
- The term “computer readable medium” is not limited to ROM, RAM, and HD and can include any type of data storage medium that can be read by a processor.
- Examples of computer-readable storage media can include, but are not limited to, volatile and non-volatile computer memories and storage devices such as random access memories, read-only memories, hard drives, data cartridges, direct access storage device arrays, magnetic tapes, floppy diskettes, flash memory drives, optical data storage devices, compact-disc read-only memories, and other appropriate computer memories and data storage devices.
- A computer-readable medium may refer to a data cartridge, a data backup magnetic tape, a floppy diskette, a flash memory drive, an optical data storage drive, a CD-ROM, ROM, RAM, HD, or the like.
- The processes described herein may be implemented in suitable computer-executable instructions that may reside on a computer readable medium (for example, a disk, CD-ROM, a memory, etc.).
- The computer-executable instructions may be stored as software code components on a direct access storage device array, magnetic tape, floppy diskette, optical storage device, or other appropriate computer-readable medium or storage device.
- Any suitable programming language can be used to implement the routines, methods or programs of embodiments of the invention described herein, including C, C++, Java, JavaScript, HTML, or any other programming or scripting code, etc.
- Other software/hardware/network architectures may be used.
- The functions of the disclosed embodiments may be implemented on one computer or shared/distributed among two or more computers in or across a network. Communications between computers implementing embodiments can be accomplished using any electronic, optical, radio frequency signals, or other suitable methods and tools of communication in compliance with known network protocols.
- Any particular routine can execute on a single computer processing device or multiple computer processing devices, a single computer processor or multiple computer processors. Data may be stored in a single storage medium or distributed through multiple storage mediums, and may reside in a single database or multiple databases (or other data storage techniques).
- Although steps, operations, or computations may be presented in a specific order, this order may be changed in different embodiments. In some embodiments, to the extent multiple steps are shown as sequential in this specification, some combination of such steps in alternative embodiments may be performed at the same time.
- The sequence of operations described herein can be interrupted, suspended, or otherwise controlled by another process, such as an operating system, kernel, etc.
- The routines can operate in an operating system environment or as stand-alone routines. Functions, routines, methods, steps and operations described herein can be performed in hardware, software, firmware or any combination thereof.
- Embodiments described herein can be implemented in the form of control logic in software or hardware or a combination of both.
- The control logic may be stored in an information storage medium, such as a computer-readable medium, as a plurality of instructions adapted to direct an information processing device to perform a set of steps disclosed in the various embodiments.
- A person of ordinary skill in the art will appreciate other ways and/or methods to implement the invention.
- A “computer-readable medium” may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, system or device.
- The computer readable medium can be, by way of example only but not by limitation, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, system, device, propagation medium, or computer memory.
- Such computer-readable medium shall generally be machine readable and include software programming or code that can be human readable (e.g., source code) or machine readable (e.g., object code).
- Non-transitory computer-readable media can include random access memories, read-only memories, hard drives, data cartridges, magnetic tapes, floppy diskettes, flash memory drives, optical data storage devices, compact-disc read-only memories, and other appropriate computer memories and data storage devices.
- Some or all of the software components may reside on a single server computer or on any combination of separate server computers.
- A computer program product implementing an embodiment disclosed herein may comprise one or more non-transitory computer readable media storing computer instructions translatable by one or more processors in a computing environment.
- A “processor” includes any hardware system, mechanism or component that processes data, signals or other information.
- A processor can include a system with a general-purpose central processing unit, multiple processing units, dedicated circuitry for achieving functionality, or other systems. Processing need not be limited to a geographic location, or have temporal limitations. For example, a processor can perform its functions in “real-time,” “offline,” in a “batch mode,” etc. Portions of processing can be performed at different times and at different locations, by different (or the same) processing systems.
- The terms “comprises,” “comprising,” “includes,” “including,” “has,” “having,” or any other variation thereof, are intended to cover a non-exclusive inclusion.
- A process, product, article, or apparatus that comprises a list of elements is not necessarily limited to only those elements but may include other elements not expressly listed or inherent to such process, product, article, or apparatus.
- The term “or” as used herein is generally intended to mean “and/or” unless otherwise indicated. For example, a condition A or B is satisfied by any one of the following: A is true (or present) and B is false (or not present), A is false (or not present) and B is true (or present), and both A and B are true (or present).
- A term preceded by “a” or “an” includes both singular and plural of such term, unless clearly indicated otherwise (i.e., that the reference “a” or “an” clearly indicates only the singular or only the plural).
- The meaning of “in” includes “in” and “on” unless the context clearly dictates otherwise.
Description

The example openssl query used to retrieve the certificate for a candidate IP address (the trailing token after the last pipe is garbled in the source and is left as found):

```shell
openssl s_client -connect 157.185.172.22:443 </dev/null 2>/dev/null | openssl x509 -inform pem -text | grep -A1 "Subject Alternative Name" | we-|
```

Subject Alternative Name entries returned for that IP address by the example query:

```
*.chinalive.com, *.dayjauy.net, *.5054399.com, *.aiwan4399.com, *.3839.com,
*.4399.cn, *.163.com, *.iwan4399.com, *.mitagtenni.net, *.ourdvsss.com,
*.3839app.com, *.bmwgroup.cn, *.unccodo.com, *.coviniya.com,
*.chidaress.com, *.foxijn.com, *.debence.net, *.syyx.com, *.livechina.cn,
*.ipanda.com, *.ipanda.net, *.iseeyoo.cn, *.cntvwb.cn, *.cntv.cn, *.cctvpic.com,
dl.jphbpk.gxpan.cn, m.bbs.3839.com, h5.selfiecity.meitu.com, *.v.2008.cctv.com,
cdn.ssjj.iwan4399.com, upload.qf.56.com, *.vdn.apps.cntv.cn, *.diary.my.cntv.cn,
api.beautymaster.meiyan.com, h5.beautymaster.meiyan.com, api.selfiecity.meitu.com,
pvmessage.cn.bmwgroup.com, www.miniclip.com.4399pk.com
```
Claims (20)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/217,880 US11689500B2 (en) | 2021-01-26 | 2021-03-30 | Systems and methods for IP mass host verification |
EP21177873.3A EP4033716A1 (en) | 2021-01-26 | 2021-06-04 | Systems and methods for ip mass host verification |
US18/317,826 US20230291708A1 (en) | 2021-01-26 | 2023-05-15 | Systems and methods for ip mass host verification |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US202163141774P | 2021-01-26 | 2021-01-26 | |
US17/217,880 US11689500B2 (en) | 2021-01-26 | 2021-03-30 | Systems and methods for IP mass host verification |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/317,826 Continuation US20230291708A1 (en) | 2021-01-26 | 2023-05-15 | Systems and methods for ip mass host verification |
Publications (2)
Publication Number | Publication Date |
---|---|
US20220239625A1 US20220239625A1 (en) | 2022-07-28 |
US11689500B2 true US11689500B2 (en) | 2023-06-27 |
Family
ID=76305741
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US17/217,880 Active US11689500B2 (en) | 2021-01-26 | 2021-03-30 | Systems and methods for IP mass host verification |
US18/317,826 Pending US20230291708A1 (en) | 2021-01-26 | 2023-05-15 | Systems and methods for ip mass host verification |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/317,826 Pending US20230291708A1 (en) | 2021-01-26 | 2023-05-15 | Systems and methods for ip mass host verification |
Country Status (2)
Country | Link |
---|---|
US (2) | US11689500B2 (en) |
EP (1) | EP4033716A1 (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11949693B2 (en) * | 2021-05-11 | 2024-04-02 | AVAST Software s.r.o. | User and group specific threat protection system and method |
Citations (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2006094271A2 (en) * | 2005-03-02 | 2006-09-08 | Markmonitor, Inc. | Distribution of trust data |
US20070130316A1 (en) * | 2004-09-07 | 2007-06-07 | Bhavin Turakhia | System and method to generate hosting company statistics |
US20080270209A1 (en) * | 2007-04-25 | 2008-10-30 | Michael Jon Mauseth | Merchant scoring system and transactional database |
US20090089859A1 (en) | 2007-09-28 | 2009-04-02 | Cook Debra L | Method and apparatus for detecting phishing attempts solicited by electronic mail |
US8219709B2 (en) * | 2002-07-05 | 2012-07-10 | Carolyn J Hughes | Method for internet name sharing |
WO2015065380A1 (en) * | 2013-10-30 | 2015-05-07 | Hewlett-Packard Development Company, L.P. | Domain name and internet protocol address approved and disapproved membership inference |
US20150213131A1 (en) * | 2004-10-29 | 2015-07-30 | Go Daddy Operating Company, LLC | Domain name searching with reputation rating |
US9391949B1 (en) * | 2010-12-03 | 2016-07-12 | Amazon Technologies, Inc. | Request routing processing |
US10104103B1 (en) * | 2018-01-19 | 2018-10-16 | OneTrust, LLC | Data processing systems for tracking reputational risk via scanning and registry lookup |
EP3407572A1 (en) * | 2017-05-23 | 2018-11-28 | Verisign, Inc. | Detection of aberrant domain registration and resolution patterns |
US20190182289A1 (en) * | 2015-07-11 | 2019-06-13 | RiskRecon Inc. | Systems and Methods for Monitoring Information Security Effectiveness |
US20190199688A1 (en) * | 2017-12-26 | 2019-06-27 | Qadium, Inc. | Autonomous alerting based on defined categorizations for network space and network boundary changes |
US20210014252A1 (en) * | 2019-07-11 | 2021-01-14 | International Business Machines Corporation | Domain clustering for malicious campaign identification |
US10911477B1 (en) * | 2016-10-20 | 2021-02-02 | Verisign, Inc. | Early detection of risky domains via registration profiling |
US20210105304A1 (en) * | 2019-10-04 | 2021-04-08 | Expanse, Inc. | Network asset lifecycle management |
2021
- 2021-03-30 US US17/217,880 patent/US11689500B2/en active Active
- 2021-06-04 EP EP21177873.3A patent/EP4033716A1/en active Pending
2023
- 2023-05-15 US US18/317,826 patent/US20230291708A1/en active Pending
Non-Patent Citations (3)
Title |
---|
European Search Report issued for EP Application No. 21177873.3, dated Nov. 5, 2021, 8 pages. |
Pawan Prakash et al., "PhishNet: Predictive Blacklisting to Detect Phishing Attacks," Infocom 2020 Proceedings IEEE, Mar. 14, 2010, pp. 1-5. |
Sandeep Yadav et al., "Detecting Algorithmically Generated Malicious Domain Names," Proceedings of the 10th Annual Conference on Internet Measurement, Nov. 1, 2020, pp. 48-61. |
Also Published As
Publication number | Publication date |
---|---|
EP4033716A1 (en) | 2022-07-27 |
US20230291708A1 (en) | 2023-09-14 |
US20220239625A1 (en) | 2022-07-28 |
Legal Events
Code | Title | Description |
---|---|---|
FEPP | Fee payment procedure | ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
AS | Assignment | Owner name: PROOFPOINT, INC., CALIFORNIA. ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: WOODBERG, BRADLEY SCOTT; GROVES, DOYLE JOSEPH; SIGNING DATES FROM 20210325 TO 20210330; REEL/FRAME: 056296/0608 |
AS | Assignment | Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW YORK. SECOND LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT; ASSIGNOR: PROOFPOINT, INC.; REEL/FRAME: 057389/0642; Effective date: 20210831 |
AS | Assignment | Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW YORK. FIRST LIEN INTELLECTUAL PROPERTY SECURITY AGREEMENT; ASSIGNOR: PROOFPOINT, INC.; REEL/FRAME: 057389/0615; Effective date: 20210831 |
STPP | Information on status: patent application and granting procedure in general | NON FINAL ACTION MAILED |
STPP | Information on status: patent application and granting procedure in general | RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
STCF | Information on status: patent grant | PATENTED CASE |
AS | Assignment | Owner name: PROOFPOINT, INC., CALIFORNIA. RELEASE OF SECOND LIEN SECURITY INTEREST IN INTELLECTUAL PROPERTY; ASSIGNOR: GOLDMAN SACHS BANK USA, AS AGENT; REEL/FRAME: 066865/0648; Effective date: 20240321 |